helmet: Add featurePolicy (#39673)

feture-policy provides TS typings with it, but it doesn't export the interface for the options parameter. We could have used conditional typings and infered the type of the parameter, but that would have restricted the minimum TS version to 2.8, so instead I created the interface definition here. Resolves #37627
2026-06-28 14:20:12 +00:00 · 2019-10-30 00:11:46 +02:00
parent d3197b0554
commit 91c3deba3c
2 changed files with 39 additions and 0 deletions
--- a/types/helmet/helmet-tests.ts
+++ b/types/helmet/helmet-tests.ts
@@ -18,6 +18,16 @@ function helmetTest() {
        action: 'deny'
      }
    }));
+    app.use(helmet({
+      featurePolicy: {
+        features: {
+          fullscreen: ["'self'"],
+          vibrate: ["'none'"],
+          payment: ['example.com'],
+          syncXhr: ["'none'"]
+        }
+      }
+    }))
 }

 /**
@@ -244,3 +254,18 @@ function permittedCrossDomainPoliciesTest() {
    app.use(helmet.permittedCrossDomainPolicies({}));
    app.use(helmet.permittedCrossDomainPolicies({ permittedPolicies: 'none' }));
 }
+
+/**
+ * @summary Test for {@see helmet#featurePolicy} function.
+ */
+function featurePolicyTest() {
+  app.use(helmet.featurePolicy({
+    features: {
+      fullscreen: ["'self'"],
+      vibrate: ["'none'"],
+      payment: ['example.com'],
+      syncXhr: ["'none'"]
+    }
+  }));
+}
+
--- a/types/helmet/index.d.ts
+++ b/types/helmet/index.d.ts
@@ -13,6 +13,7 @@ declare namespace helmet {
    export interface IHelmetConfiguration {
        contentSecurityPolicy?: boolean | IHelmetContentSecurityPolicyConfiguration;
        dnsPrefetchControl?: boolean | IHelmetDnsPrefetchControlConfiguration;
+        featurePolicy?: IFeaturePolicyOptions;
        frameguard?: boolean | IHelmetFrameguardConfiguration;
        hidePoweredBy?: boolean | IHelmetHidePoweredByConfiguration;
        hpkp?: boolean | IHelmetHpkpConfiguration;
@@ -26,6 +27,12 @@ declare namespace helmet {
        permittedCrossDomainPolicies?: boolean | IHelmetPermittedCrossDomainPoliciesConfiguration;
    }

+    export interface IFeaturePolicyOptions {
+        features: {
+            [featureName: string]: string[];
+        };
+    }
+
    export interface IHelmetPermittedCrossDomainPoliciesConfiguration {
        permittedPolicies?: string;
    }
@@ -196,6 +203,13 @@ declare namespace helmet {
         */
        dnsPrefetchControl(options?: IHelmetDnsPrefetchControlConfiguration): express.RequestHandler;

+        /**
+         * @summary Restrict which browser features can be used
+         * @param {IFeaturePolicyOptions} options The options
+         * @return {RequestHandler} The Request handler
+         */
+        featurePolicy(options: IFeaturePolicyOptions): express.RequestHandler;
+
        /**
         * @summary Prevent clickjacking.
         * @param {IHelmetFrameguardConfiguration} options The options